PDA Best Practices
PDA mistakes become full custody failures. Apply this list when designing seeds, storing bumps, and signing CPIs.
How to Use This List
- Publish seed grammar in repo
SEEDS.md. - Add tests that wrong seeds fail verification.
- Review every
invoke_signedcall in PRs.
A - Derivation
- Use unique ASCII prefix per account type. Prevents semantic collisions.
- Include all domain pubkeys needed for isolation. Stops global vault mistakes.
- Encode integers as fixed little-endian arrays. Deterministic across clients.
- Derive on-chain before trust; never trust client address alone. Core security invariant.
- Store canonical bump at initialization. Saves CU and closes bump hunting.
B - Signing
- Keep
invoke_signedinside validated instruction handlers. No public signing endpoints. - Match seed order exactly between derive and sign. Prevents flaky CPI failures.
- Append bump as single-byte seed segment. Required runtime format.
- Set signer bit on PDA account metas in CPI when needed. Runtime enforcement.
- Drop data borrows before signing CPI. Avoid runtime borrow errors.
C - Operations
- Document PDA addresses in IDL or Codama schema. Client correctness.
- Test create-init-close lifecycle on Surfpool. Catches reinit bugs.
- Revoke token mint authorities when supply fixed. Supply integrity.
- Version seed scheme for breaking changes. Migration path clarity.
- Audit upgrade authority separately from PDA logic. Governance risk.
FAQs
Anchor enough?
Still review custom seeds and CPI signers.
How many PDAs?
As needed - rent cost trade-off.
Indexer hints?
Emit events with PDA type prefix.
PDA rent?
Payer funds at create.
Close PDA?
Transfer lamports out; zero data.
Same seeds two programs?
Different addresses - intentional.
Brute force PDA?
Infeasible - bump search only.
Hardware wallet?
Signs payer not PDA.
LiteSVM PDA tests?
Supported in 0.6.x.
Public bump?
OK - security from seeds not secrecy.
Seed docs in PR template?
Recommended.
Immunefi scope?
Include PDA signing paths.
Related
- PDA Basics - Intro
- Signing with PDAs - CPI signing
- CPI Best Practices - CPI rules
Stack versions: This page was written for Agave 4.1.1, Solana CLI 3.0.10, Anchor 0.32.1, anchor-lang 0.32.1, Rust 1.91.1, @solana/kit 7.0.0, Surfpool 0.12.0, and LiteSVM 0.6.x.